ESET Reports Global Surge in State-Aligned Cyberespionage and Destructive Attacks
ESET reported sustained global activity by China-, Iran-, North Korea-, and Russia-aligned threat actors across Q4 2025 and Q1 2026, with operations closely tied to geopolitical priorities. China-aligned groups targeted government, maritime, energy, and technology organizations in countries including Venezuela, Syria, Cambodia, Panama, and South Korea, and also abused Ivanti VPN environments. Iran-linked activity shifted during the late-February 2026 war in Iran: established APT operations declined, while proxy, hacktivist, and unattributed actors increased attacks against Israel and other perceived adversaries, including the use of destructive tooling described as a bootkit-style wiper.
North Korea-aligned actors continued social-engineering and supply-chain campaigns aimed at developers and cryptocurrency ecosystems, including a Lazarus-linked compromise of the axios JavaScript library, while Andariel resurfaced in South Korea using TigerRAT and attempting ransomware deployment. Russia-aligned groups remained heavily focused on Ukraine, with Sednit targeting military and drone-related entities and Sandworm escalating destructive operations, including a December 2025 incident at a Polish energy company attributed with medium confidence. ESET also documented browser-in-the-browser phishing against a Japanese think tank, Asin Android spyware targeting Arabic-speaking users, and the compromise of a UAE defense company through a SmartOffice CRM server.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
ESET publishes APT Activity Report for Q4 2025-Q1 2026
ESET published its APT Activity Report covering Q4 2025 through Q1 2026, describing sustained activity by China-, Iran-, North Korea-, and Russia-aligned threat actors across multiple regions and sectors.
Iran-linked activity shifts during late-February 2026 war
According to ESET, during the late-February 2026 war in Iran, activity from established Iran-aligned APT groups decreased while proxy, hacktivist, and unattributed attacks increased against Israel and other perceived adversaries, including use of destructive tooling such as a bootkit-style wiper.
Sandworm attacks a Polish energy company
ESET reported that Sandworm escalated destructive activity and included a December 2025 incident affecting a Polish energy company, which it attributed with medium confidence.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Middle East Conflict Triggers Spike in State-Linked Espionage and Malware Campaigns
Escalating conflict following **Operation Epic Fury** (US/Israel strikes inside Iran) has coincided with increased cyber activity targeting Middle East and adjacent interests. Proofpoint reported that Iran-aligned **TA453** (*Charming Kitten / Mint Sandstorm / APT42*) continued intelligence collection during the conflict, including a **credential-phishing** attempt against a US think tank observed on **8 March**, and noted additional campaigns against Middle East government organizations with suspected links to multiple state or state-aligned actors (including suspected attribution to **China, Belarus, Pakistan, and Hamas**). Despite reported Iranian internet shutdown measures after the initial strikes, espionage-focused operations were assessed as ongoing. Check Point Research separately identified China-linked activity targeting **Qatar**, using conflict-themed lures (e.g., fake “war news”/damage imagery) to deliver malware, including **PlugX** and **Cobalt Strike**, with tradecraft described as a multi-stage chain involving a compromised server and **DLL hijacking** via a legitimate application (*Baidu NetDisk*) to load the backdoor—highlighting rapid weaponization of breaking news to target **energy** and **military** sectors. Other items in the set were not part of this conflict-driven espionage theme: one report described a Russian-speaking **‘BlackSanta’** BYOVD-based “EDR killer” delivered via HR workflow abuse and steganographic images, and a weekly threat bulletin summarized unrelated breaches and research (e.g., AkzoNobel, LexisNexis, Wikimedia worm, TriZetto, and AI-related threats).
Mar 21, 2026
Geopolitically driven cyber activity surges following Operation Epic Fury
Iran-linked threat actors escalated from espionage to **disruptive and destructive operations** in the wake of the US/Israel military campaign dubbed **Operation Epic Fury**, with reporting describing a coordinated hybrid offensive against Western, Israeli, and regional economic and critical infrastructure targets. Tenable assessed **MOIS-affiliated** groups as increasingly masking activity behind cybercriminal infrastructure to complicate attribution, and highlighted a notable rise in Iranian-nexus targeting of **internet-connected IP cameras** using known, exploitable vulnerabilities; the same reporting pointed to increased activity from **MuddyWater** and the **Void Manticore/Handala** persona, including indications of pre-positioned access ahead of the kinetic operations. Separate threat-intelligence reporting described **China-nexus** actors rapidly pivoting in the same geopolitical window, including activity against **Qatari entities** shortly after the initial strikes: **Camaro Dragon** attempted to deploy a **PlugX** variant using conflict-themed lures, and another intrusion attempt used **DLL hijacking** to deliver **Cobalt Strike**, consistent with China-aligned tradecraft. Other items in the set cover unrelated campaigns and incidents—an exposed **APT28** Roundcube exploitation toolkit targeting Ukrainian government mail infrastructure, a pro-Russian **NoName057(16)** DDoS campaign heavily targeting German and Israeli public-sector and commercial services, a Russian-speaking **BlackSanta** BYOVD “EDR killer” delivered via HR-themed lures and steganographic images, and a weekly bulletin summarizing multiple breaches (e.g., AkzoNobel, LexisNexis, Wikimedia, TriZetto)—and do not materially add to the Operation Epic Fury–linked escalation narrative.
Mar 31, 2026
Multiple APT and malware campaigns abusing phishing, cloud services, and signed binaries
Reporting across multiple research teams described a surge of distinct, ongoing intrusion campaigns rather than a single unified incident. **Check Point** reported on **Silver Dragon**, a Chinese-aligned activity cluster assessed as operating under the broader **APT41** umbrella, targeting organizations in **Southeast Asia and Europe** (notably government) via exploitation of public-facing servers and phishing, then deploying **Cobalt Strike**, **DNS tunneling**, and a new Google Drive–based backdoor (**GearDoor**) alongside custom tools (**SSHcmd** and **SliverScreen**) for remote access and screen capture. **Microsoft** detailed separate February 2026 phishing campaigns by an unknown actor that used meeting/invoice-style lures and **EV code-signed** malware (certificate issued to **TrustConnect Software PTY LTD**) masquerading as common workplace apps (e.g., `msteams.exe`, `adobereader.exe`, `zoomworkspace.clientsetup.exe`) to install legitimate **RMM** tooling (**ScreenConnect**, **Tactical RMM**, **Mesh Agent**) for persistent access and lateral movement. Other reporting highlighted additional, unrelated campaigns and tradecraft: **ClearSky** described a Russian-aligned operation targeting **Ukraine** using a phishing-delivered ZIP/HTA chain that drops a .NET loader (**BadPaw**) and backdoor (**MeowMeow**) with **.NET Reactor** obfuscation, parameter-gated execution, and sandbox/tooling checks (with low-confidence linkage to **APT28**). **Cofense**-reported activity (via SC Media) showed phishing that weaponizes **Windows File Explorer + WebDAV** using URL/LNK shortcuts to pull payloads (notably **AsyncRAT**, **XWorm**, **DcRAT**) and infrastructure including **Cloudflare Tunnel** domains hosting WebDAV servers. **Cisco Talos**-reported **Dohdoor** activity (UAT-10027) targeted US **education and healthcare**, using PowerShell→batch→DLL sideloading via legitimate executables (e.g., `Fondue.exe`, `mblctr.exe`, `ScreenClippingHost.exe`) and **DNS-over-HTTPS** to Cloudflare for C2 discovery and tunneling. Separately, **Zscaler** reported **ScarCruft**’s *Ruby Jumper* campaign using **Zoho WorkDrive** for C2 and removable media components to reach air-gapped systems, while another Zscaler report analyzed **Dust Specter** targeting Iraqi government officials with password-protected RAR delivery and modular implants. **Qianxin XLab** assessed sanctioned infrastructure provider **Funnull** resurfacing to support scam/criminal supply chains and potential **MacCMS**-related supply-chain activity, and **F5 Labs** summarized **APT42**’s **TAMECAT** PowerShell backdoor focused on Edge/Chrome credential theft with C2 over Telegram/Discord/HTTPS and specific file/hash indicators. (A separate Help Net Security item on a Microsoft Defender onboarding tool is product/administrative news and not part of the threat-campaign reporting.)
Mar 21, 2026